PHP Passwords with SQL, quick question on security

#1 shackrock
Hi all.

Just a quick question. I've read several articles about MD5, hashing,salts, etc... but they all seem to say different things...

Is doing this for a SQL string used to store a user password to the database sufficient?
UPDATE tbl_user SET pass = md5('$pass')

So I guess my question:
Is the md5() PHP function alone enough to store password securely?

Thanks.

#2 Alexander
No, SHA1 (note the hash is 40 chars long, not 32 like MD5) is more cryptographically secure, as in it has a lower collision rate and fewer rainbow table implementations (dictionary lists of MD5s people can use to look them up), but regardless of which you use, always use a salt; it will be more beneficial to security than using hash A over hash B. The larger the salt, the better.

UPDATE `tbl_user` SET `pass` = SHA1('$pass.salt123%^&') WHERE ...

Your salt can be a page long; for perspective, MySQL's compiled functions are faster than PHP's.

More info on what MySQL can provide:
MySQL :: MySQL 5.1 Reference Manual :: 11.13 Encryption and Compression Functions
Be sure to read the updated FAQ! || Health is achieved through the same 10,000 steps.
If a suggested code/method fails, informing us is less important than telling us why or what errors occurred.

#3 shackrock
I see. Am I correct to say that a salt is not useful if I lock the user out of the system after a few failed password attempts? This way, a dictionary hack isn't quite possible anyway?

#4 Alexander
We are referring to different things. For example, take this MD5: e2fc714c4727ee9395f324cd2e7f331f
Now look it up on this site (A rainbow table dictionary):
md5.rednoize.com - reverse engineer md5 hashes - powered by rednoize.com

You will see that the MD5 password is "john", so if someone broke into your database you would be in trouble, as they would have simple MD5's. Adding a salt will stop that, as it's "john" plus a pile of other characters, which wouldn't likely exist in the rainbow lookup table.

#5 shackrock
Aha, I see. However, if somebody has hacked into my MySQL database, can't we assume that they also have gained access to the PHP file that contains my Salt?

#6 Alexander
Normally most attempts would result only in the database access itself (such as through an exploit, allowing them to access arbitrary SELECT and DUMP commands), but yes, in that case no amount of encryption/hashing/obfuscation would matter.
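Added example, not from the thread: a Python illustration of the two points made above. The unsalted md5('$pass') from the first post falls to a precomputed lookup table, while a random per-user salt stored next to a slow hash (PBKDF2 here, which goes beyond the thread's single fixed salt) means a stolen database gives the attacker the salts but still forces a separate, expensive guess per user. The wordlist and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed wordlist standing in for a precomputed MD5 lookup
# (rainbow) table like the one linked in post #4.
WORDLIST = ["password", "123456", "john", "letmein", "qwerty"]
MD5_LOOKUP = {hashlib.md5(w.encode()).hexdigest(): w for w in WORDLIST}

PBKDF2_ITERATIONS = 200_000  # assumption: raise until one hash takes ~100 ms


def weak_md5(password: str) -> str:
    """What UPDATE ... SET pass = md5('$pass') stores: unsalted MD5."""
    return hashlib.md5(password.encode()).hexdigest()


def reverse_by_lookup(digest: str) -> Optional[str]:
    """Recover a password from an unsalted digest with one dictionary lookup."""
    return MD5_LOOKUP.get(digest)


def store_password(password: str) -> Tuple[str, str]:
    """Return (salt_hex, hash_hex) to store in the user row.

    The salt is random per user, so two users with the password "john"
    get different stored hashes and a single lookup table covers neither.
    The salt is not secret; its job is to defeat precomputation.
    """
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt.hex(), dk.hex()


def verify_password(password: str, salt_hex: str, hash_hex: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(dk.hex(), hash_hex)


if __name__ == "__main__":
    print(reverse_by_lookup(weak_md5("john")))  # john
    salt, h = store_password("john")
    print(verify_password("john", salt, h), verify_password("jane", salt, h))
```

PHP's built-in password_hash() and password_verify() implement this same salt-per-user, slow-hash scheme, so in PHP there is no need to hand-roll it.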

#7 shackrock
Got it. Thank you for the help.